Cybersecurity’s Tower of Babel: Why we are still lost in translation

When leadership teams and security functions operate in different languages of risk, critical signals might be dismissed until the problem has escalated

    Published Mon, Apr 20, 2026 · 07:00 AM

    BUSINESS leaders like to believe that in a crisis, the enterprise will instinctively pull together. Experience suggests otherwise.

    The biblical story of the Tower of Babel is a useful reminder: Projects do not fail because of a lack of ambition; they fail because people stop understanding one another.

    Today’s corporate world is living out a digital version of that myth. Boards, leadership teams and IT departments confront the same cybersecurity threats, but describe them in mutually unintelligible languages.

    Boards speak of risk appetite and shareholder value while IT teams speak of zero trust, telemetry and patch management.

    For years, this mismatch was tolerated. Cybersecurity was treated as a “black box” technical issue delegated to the chief investment officer or chief information security officer (CISO).

    That era is over. The “it’s too technical” defence has expired, dismantled by two shifts: the evolution of fiduciary duty and the democratisation of knowledge via artificial intelligence, even as the same technology accelerates the threats organisations now face.

    At the same time, AI is reshaping the threat landscape itself. Recent reports have warned that attackers are using AI to move faster and operate at greater scale, compressing the window between vulnerability discovery and exploitation.

    As more advanced AI models enter real-world testing, organisations are being forced to contend not just with more sophisticated threats, but with the speed at which they unfold.

    Research also highlights how persistent this disconnect remains. A study by IANS Research found that many boards and CISOs still struggle to align on cyber risk priorities, with conversations continuing to be framed in technical metrics rather than business consequences.

    Similarly, the World Economic Forum’s Global Cybersecurity Outlook 2026 found that while 99 per cent of highly resilient organisations report board engagement in cybersecurity, fewer than half have clearly defined board-level oversight of the issue.

    When leadership teams and security functions operate in different languages of risk, critical signals can be misunderstood or dismissed until the problem becomes impossible to ignore.

    The financial consequences rarely appear as a single line item. They surface in earnings calls, regulatory scrutiny and boardroom accountability, while the deeper damage unfolds slowly through lost trust and reputational drag.

    The high cost of silence

    When translation breaks down, consequences escalate quickly.

    In December 2025, South Korea’s largest e-commerce platform, Coupang, disclosed a breach – affecting 33.7 million customers – that had gone undetected for five months. Security alerts existed, but they were never escalated to the executive level until the incident triggered a parliamentary inquiry.

    The fallout was swift. The chief executive stepped down, and regulators moved to tighten the country’s Personal Information Protection Act, holding senior executives personally liable for major data breaches. What began as a technical signal within the security team ultimately became a governance crisis at the highest levels of the company.

    A similar pattern surfaced in 2024 when investigations revealed that the intrusion by advanced persistent threat actor Salt Typhoon had compromised at least nine US telecommunications firms, including AT&T and Verizon.

    Some lawmakers described it as the largest telecom hack in US history. As congressional scrutiny intensified, senators requested security assessments from telecom operators.

    Meanwhile, the US Cyber Safety Review Board, which had been examining the incident, was disbanded, raising concerns about the continuity between technical findings and national oversight.

    Together, these developments exposed how fragile the bridge can be. It is precisely this translation gap that allows cyber risks to escalate.

    Across different contexts, the underlying weakness remains unchanged. In both cases, the issue was not simply one of intelligence or tooling, but of translation.

    Security signals did not move upwards with sufficient clarity, urgency, or accountability.

    IT teams are often measured on uptime and technical execution. Boards and leadership teams are measured on growth, performance and continuity.

    Each group acts rationally within its own remit, yet collectively they can create a system that overlooks systemic risk until the house is already on fire.

    The common thread is an uncomfortable one. These were failures of incentives, not just intelligence. They were not merely breakdowns in code, but breakdowns in oversight.

    Bringing IT back to the boardroom

    The competency boards need now is not technical mastery, but informed challenge.

    Regulators, particularly in mature financial hubs like Singapore, are sharpening expectations around cybergovernance.

    In March 2026, the Monetary Authority of Singapore updated its operational risk management guidelines, reinforcing supervisory expectations that financial institutions must strengthen cyber resilience and board oversight.

    Similar regulatory shifts are emerging globally, signalling that cybersecurity governance is no longer optional boardroom literacy but a baseline expectation.

    Consider the standard applied to financial literacy. No one expects every director to be a forensic accountant. A competent board must understand profit and loss, solvency ratios and audit implications.

    If a chief financial officer proposed a high-risk derivative strategy, a credible board would push back. Silence would be negligence.

    Cybersecurity now demands the same baseline literacy. It belongs on the risk register as a business risk, akin to regulatory, legal and reputational exposure.

    A board that cannot meaningfully challenge a CISO’s strategy is not governing the risk it owns.

    For years, jargon was a convenient barrier. Cybersecurity was dense, acronym-heavy and opaque. This excuse is wearing thin.

    The rise of generative AI has materially lowered that barrier, acting as a translator between technical abstraction and business consequence.

    Directors no longer need a degree in computer science to explore risk scenarios, understand threat dynamics, or grasp what a zero-day vulnerability actually means for the enterprise.

    In this new reality, complexity is no longer a sufficient defence for weak oversight. The tools to bridge the gap exist.

    The organisations that endure will not necessarily be those with the most expensive firewalls. They will be the ones where the board, leadership team and security function share a common language.

    In a world of constant digital threat, the greatest risk is not the hacker, but the silence between the silos.

    The writer is executive vice-president of international business and commercial at Ensign InfoSecurity

    Copyright SPH Media. All rights reserved.